mirror of https://github.com/CISOfy/lynis.git
Added GRUB2 detection on empty /boot
This commit is contained in:
parent
f0292d3653
commit
08f77d2531
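--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -25,6 +25,7 @@
 Display --indent 2 --text "- Checking boot loaders"
 BOOT_LOADER="Unknown"
 BOOT_LOADER_FOUND=0
+GRUB_VERSION=0
 #
 #################################################################################
 #
@@ -38,8 +39,42 @@
 FOUND=1
 BOOT_LOADER="GRUB"
 BOOT_LOADER_FOUND=1
+GRUB_VERSION=1
 Display --indent 4 --text "- Checking presence GRUB" --result "OK" --color GREEN
 if [ -f /boot/grub/grub.conf ]; then GRUBCONFFILE="/boot/grub/grub.conf"; else GRUBCONFFILE="/boot/grub/menu.lst"; fi
+fi
+
+# GRUB2 configuration file
+if [ -f /boot/grub/grub.cfg ]; then
+FOUND=1
+BOOT_LOADER="GRUB2"
+BOOT_LOADER_FOUND=1
+GRUB_VERSION=2
+GRUBCONFFILE="/boot/grub/grub.cfg"
+Display --indent 4 --text "- Checking presence GRUB2" --result FOUND --color GREEN
+logtext "Result: found GRUB2 configuration file (/boot/grub/grub.cfg)"
+# YYY password check, when documentation of GRUB2 project is improved
+# YYY Add check permission check (600)
+if [ -d /boot ]; then
+if [ `ls /boot/* 2> /dev/null` -a ! "${GRUB2INSTALLBINARY}" = "" ]; then
+logtext "Result: found empty /boot, however with GRUB2 binary installed. Best guess is that GRUB2 is actually installed, but /boot not mounted"
+Display --indent 4 --text "- Checking presence GRUB2" --result "POSSIBLE MATCH" --color YELLOW
+ReportManual "${TEST_NO}:01"
+fi
+fi
+
+if [ ${FOUND} -eq 0 ]; then
+logtext "Result: no GRUB configuration file found."
+fi
+fi
+#
+#################################################################################
+#
+# Test : BOOT-5122
+# Description : Check for GRUB boot loader configuration
+if [ ! "${GRUBCONFFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+Register --test-no BOOT-5122 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for GRUB boot password"
+if [ ${SKIPTEST} -eq 0 ]; then
 logtext "Found file ${GRUBCONFFILE}, proceeding with tests."
 FileIsReadable ${GRUBCONFFILE}
 if [ ${CANREAD} -eq 1 ]; then
@@ -51,7 +86,7 @@
 logtext "Risk: user can switch to single user mode by editing current menu items or bypassing them."
 logtext "Additional information: Do NOT use a plaintext password, since the grub.conf or menu.lst file is most likely to be world readable!"
 logtext "If an unsecured OS like DOS is used, add 'lock' below that entry and setup a password with the password option, to prevent direct system access."
-ReportWarning ${TEST_NO} "M" "No password set on GRUB bootloader"
+ReportSuggestion ${TEST_NO} "M" "Set a password on GRUB bootloader to prevent altering configuration"
 logtext "Tip: Run grub-crypt or grub-md5-crypt and create a hashed password. Add a line below the line timeout=<value>, add: password --md5 <password hash> or password --encrypted <password hash> for SHA1 encrypted password"
 AddHP 0 2
 else
@@ -63,23 +98,6 @@
 logtext "Result: Can not read ${GRUBCONFFILE} (no permission)"
 fi
 fi
-
-# GRUB2 configuration file
-if [ -f /boot/grub/grub.cfg ]; then
-FOUND=1
-BOOT_LOADER="GRUB2"
-BOOT_LOADER_FOUND=1
-Display --indent 4 --text "- Checking presence GRUB2" --result FOUND --color GREEN
-logtext "Result: found GRUB2 configuration file (/boot/grub/grub.cfg)"
-# YYY password check, when documentation of GRUB2 project is improved
-# YYY Add check permission check (600)
-ReportManual "${TEST_NO}:01"
-fi
-
-if [ ${FOUND} -eq 0 ]; then
-logtext "Result: no GRUB configuration file found."
-fi
-fi
 #
 #################################################################################
 #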
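Review bot: The `ls /boot/*` test in the `if [ -d /boot ]` branch of the second hunk does not check for an empty /boot: the unquoted backtick substitution splices the listing into `[` as arguments, so an empty directory leaves `[ -a ! ... ]`, which is not an emptiness test at all, a single entry is treated as a non-empty string and takes the branch, and several entries fail with "too many arguments". A test that matches the log message is `if [ -z "$(ls -A /boot 2> /dev/null)" ] && [ ! "${GRUB2INSTALLBINARY}" = "" ]; then`. Reading the `fi` sequence as rendered, this check and the following `if [ ${FOUND} -eq 0 ]` both sit inside `if [ -f /boot/grub/grub.cfg ]; then`, where /boot cannot be empty and FOUND was just set to 1, so neither branch can fire; they presumably belong after that block's closing `fi`. GRUB2INSTALLBINARY is not assigned in the hunk, so it is assumed to be set earlier in the file, and the `if [ ${SKIPTEST} -eq 0 ]; then` opened at the end of the hunk closes outside it.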